Видео

I don't remember testing with Auth0. I remember testing with Cognito and it worked fine. We can't validate if ALB is getting the refresh token. But, you can check the Auth0 logs to see if token endpoint is getting called by ALB after the access token expires. Please like, subscribe & share this video / channel !! Thanks in advance.

Are you referring to /oauth/token endpoint call?

Looks like somewhere the configuration specifies issuer as empty string. Is this error thrown during SpringBoot server start process?

@@securityinaction1018 i am getting this error when i try to hit the url in postman to getuser with token

It's difficult to debug without seeing the issue. I am not sure where the issue is happening. You can enable debug logs in SpringBoot app and see if you can find any details there

@@securityinaction1018 i tried debugging the application.. but that’s not possible… whenever i hit the localhost url in postman i m getting 401 error and in logs i can see jwtdecoderinitializationexpection: failed to lazily resolve the supplied jwtdecoder i stance

Ok. If it is ok with you, post the spring application.yaml file configuration here. I think something might be wrong in that config.

Can you point the exact time in the video where it is mentioned? I can check and let you know

@@securityinaction1018 9:01

Ok, I tried it again. If you select "Allow people to log in with their Facebook accounts" instead of "Other", it doesn't support OAuth2 login which is required for Cognito integration. I think "Allow people to log in with their Facebook accounts" is for apps which directly integrate with Facebook login without any middle layer like Cognito.

@@securityinaction1018 Ahh, that explains the issues I've been having. Thank you so much!

Glad it worked!! Please like, subscribe & share this video / channel !! Thanks in advance.

I have not tried it. But looks like it is possible as per this docs learn.microsoft.com/en-us/security/zero-trust/develop/configure-tokens-group-claims-app-roles Please like, subscribe & share this video / channel !! Thanks in advance.

Glad it was helpful! Please like, subscribe & share this video / channel !! Thanks in advance.

Welcome!! Please like, subscribe & share this video / channel !! Thanks in advance.

You're welcome! Please like, subscribe & share this video / channel !! Thanks in advance.

Sure. Please like, subscribe & share this video / channel !! Thanks in advance.

Can you elaborate the question? What is dynamic user ID?

You're most welcome!! Please like, subscribe & share this video / channel !! Thanks in advance.

This is for browser based flows i.e. authenticating a Auth0 user through Cognito using SAML federation. Can you elaborate what do you mean by using it for APIs?

@@securityinaction1018 I would like to authenticate and authorize api usage

This video might be useful. It is just for reference. If you are using API GW service, it will be a different setup. ruclips.net/video/66rCfs-3egI/видео.html - How to secure SpringBoot REST APIs using Auth0 OAuth2 scopes? ruclips.net/video/7zyhENQRb7c/видео.html - How to secure SpringBoot REST APIs using AWS Cognito OAuth2 scopes?

You cannot integrate AuzreAD with Cognito using OAuth client credentials flow. Since it is OIDC, it supports only authorization code grant flow. Please like, subscribe & share this video / channel !! Thanks in advance.

@@securityinaction1018 I thought so too.. thank you for the confirmation. Thanks to AWS marketing buzz where in devil lies underneath :-D

:) Welcome. If you can explain your use case, I can try my best to help.

@@securityinaction1018 we want to expose existing API and manage in a API management platform. Unfortunately AWS API GW is suggested 😅. So we want to protect the API endpoints ( expose them to internal application, so REST API is choice) & security compliance is to use Azure AD to maintain users, groups, app registrations for M2M use cases.. In this context I ended up in the hands of Cognito ..

Ok. If you want to use a AzureAD M2M client_credentials token for securing APIs hosted in AWS API GW, you can either use custom authorizer or JWT authorizer. JWT authorizer supports only HTTP APIs docs.aws.amazon.com/apigateway/latest/developerguide/http-api-jwt-authorizer.html

Welcome aboard! Thank you :)

I have not tried with these specific versions. But, I guess it should work as long as Spring didn't change any of those OIDC related configurations

I have not worked on SecureAuth. I will try to post a video in future.

Thanks for the response. I will be waiting for the video

Domain cannot be configured without enabling Hosted UI.

Glad it helped!! Please like, subscribe & share this video / channel !! Thanks in advance.

I have not tried it myself. You can check this doc learn.microsoft.com/en-us/entra/identity-platform/optional-claims?tabs=appui I will try to post a video in future once I find the solution. Thanks for subscribing!!

Here are some links which will clear the confusion : learn.microsoft.com/en-us/answers/questions/1556632/confusion-around-azure-ad-b2c-vs-microsoft-entra-e learn.microsoft.com/en-us/entra/external-id/customers/faq-customers#is-microsoft-entra-external-id-a-new-name-for-azure-ad-b2c Please like, subscribe & share this video / channel !! Thanks in advance.

This video uses client credentials grant which is not user specific. For user based authorization, you need to use authorization code grant, get access tokens and use those access tokens for accessing the APIs. Please like, subscribe & share this video / channel !! Thanks in advance.

@@securityinaction1018 Any tutorial is present regarding user specific scopes configuration? I wanted scopes at user level and not at app client level

This video uses client credentials grant which is not user specific. For user based authorization, you need to use authorization code grant, get access tokens and use those access tokens for accessing the APIs. Please like, subscribe & share this video / channel !! Thanks in advance.

Glad you liked it! Please like, subscribe & share this video / channel !! Thanks in advance.

You can check this blog aws.amazon.com/blogs/security/how-to-secure-api-gateway-http-endpoints-with-jwt-authorizer/

I have not tried that. In case I get a chance to do a POC, will surely post a video.

Glad it worked! Please follow these instructions to assign the app to only certain users /groups learn.microsoft.com/en-us/entra/identity-platform/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-require-user-assignment Please note that group assignment is available only for certain plans and not for free developer account. Please like, subscribe & share this video / channel !! Thanks in advance.

Sorry, I am not aware of that. If you can share any websites on how it needs to be done, I will surely take a look.

@@securityinaction1018 I'd recommend googling "how to add timestamps to youtube video" and it'll teach you how. Thanks for the video again! Helped a lot.

Glad it helped. Sure, will check it out. Please like, subscribe & share this video / channel !! Thanks in advance.

I am not sure what is really happening since it is difficult to find out without debugging. May be the user credentials that you are using is not assigned to that particular Okta application. But, I am not 100% sure.

Glad it helped! Please like, subscribe & share this video / channel !! Thanks in advance.

Glad it was helpful! Please like, share & subscribe to this channel!

I am sorry that I don't have knowledge on Owncloud.

It looks like a wrong issuer. registeredDomain/{tenantId} are placeholders. You need to replace that with the actual values. Please like, subscribe & share this video / channel !! Thanks in advance.

Thank you!! I don't have much knowledge on how to read emails from Microsoft personal accounts. I have done some POCs on reading emails from GMail accounts. I am assuming it should be similar in MS. Basically, you need OpenID Connect flow to get ID token, access token for a particular user and the access token should have the scopes to read emails. Please like, subscribe & share this video / channel !! Thanks in advance.

Do you want to generate a token using client_credentials grant or authorization code grant? Please like, subscribe & share this video / channel !! Thanks in advance.

@@securityinaction1018 I want to try both client_credentials and authorisation code.

You can refer this on how to add roles as a claim to the access token documentation auth0.com/docs/get-started/apis/enable-role-based-access-control-for-apis Please like, subscribe & share this video / channel !! Thanks in advance.

Thank you so much !! I will keep trying my best to post quality videos. Please like, subscribe & share this video / channel !! Thanks in advance.

Can you elaborate your question? AWS console login is different from AWS IAM Identity Center login because both have different login pages and credentials.

@@securityinaction1018 like I have react application login once I log in using aws login and open aws console it should be auto sign in and visa-versa.

Thank you. Glad it was helpful! Please like, subscribe & share this video / channel !! Thanks in advance.

This video talks about web integration using OIDC protocol. If I am not wrong, the use case that you described refers to a client app calling 100 microservices. Is it one client app calling 100 services?

@@securityinaction1018 Sorry I have been watchin many of your videos and was generic here with regards to the question. I am not talking about web integration with OIDC. I was asking about API to API inter service calls using an access token based authorization such as okta. Do I need separate client id, client secret for all? Or if all the 100 services are under an app portfolio, is it fine to create one pair and reuse?

Firstly, you need to identify whether all these are internal or external facing APIs. You can have different strategies depending on that. Assuming all are external facing APIs, it is always recommended to have separate client ID / secret for each client. The main reason for that is let's say one of the client ID / secret got leaked to a hacker and you are planning to reset the client secret, all the client apps have to be modified which will cause a downtime. However, please note that there might be some limit on number of applications that you can create in Okta. Please check with Okta support.

@@securityinaction1018 Thanks!

Glad it helped! I will surely post a video. But, for now, you can refer the below videos to get an idea of how it might work : ruclips.net/video/o2IM9oI6Eqk/видео.html - How to integrate Java Spring Boot application with AWS Cognito using OIDC? ruclips.net/video/QEtP385kSUc/видео.html - How to integrate AWS Cognito with Facebook Social Login? ruclips.net/video/7r0eBNBNEZ8/видео.html - How to integrate AWS Cognito with Google Social login? ruclips.net/video/NeeKN8IpyOY/видео.html - How to integrate Java Spring Boot application with Google sign-in using OIDC?

If you are referring to AWS QuickSight, I see some documentation here docs.aws.amazon.com/quicksight/latest/user/external-identity-providers.html. I have not tried this. Once I work on this, will post a video about this.

Glad it helped!! Please like, subscribe & share this video to support this channel !! Thanks in advance.

You can customize the login page as per Spring docs. I have not tried that.

You can checkout some vides on OAuth basics. But, I don't have a detailed video on OAuth, OIDC or SAML basics. I wanted to post a series of videos. I will try to work on that in future. Please like, subscribe & share this video to support this channel !! Thanks in advance.

All these validations are taken care by SpringBoot security classes. You can customize this which is generally not required. Refer this documentation for more details : docs.spring.io/spring-security/reference/servlet/oauth2/login/advanced.html#oauth2login-advanced-idtoken-verify Please like, subscribe & share this video to support this channel !! Thanks in advance.

Welcome! Please like, subscribe & share this video to support this channel !! Thanks in advance.

Thanks for the feedback. I will try my best to keep improving the quality of audio & video. Please like, share & subscribe to support this channel.

You can try changing the token lifetime as mentioned here learn.microsoft.com/en-us/entra/identity-platform/configurable-token-lifetimes and that should change the exp claim accordingly. I have not tried that. But, I think it should work. Please like, subscribe & share!! Thanks in advance.